China Computer Federation (CCF) Young Computer Scientists & Engineers Forum
CCF YOCSEF Tianjin
21-22 May 2012, 8:30-17:30
Conference room of the School of Computer Science, Tianjin University (Room 25B407)
Academic lecture series; all are welcome.
Program
1. Agenda for 21 May
8:00 Registration
8:30 Lectures begin
Invited speaker: Dr. Xinming Ou, Associate Professor, Kansas State University, USA
Talk title: Logic-based, data-driven enterprise network security analysis
Abstract:
Modern enterprise networks have grown to a complexity level where human administrators can hardly keep pace with the ever-changing threats in terms of software vulnerabilities, misconfiguration in both network infrastructure and end hosts, as well as the various data and computing assets needing protection. How to reason about such diverse information to understand the security risks has become a significant challenge in managing enterprise network security, especially with the increasingly sophisticated attacks we see today. In this talk, I will describe the MulVAL enterprise security analysis framework. MulVAL started as a logic-based attack-graph tool suite that takes as input Datalog tuples and rules representing diverse configuration information and security knowledge.
A Datalog proof engine then efficiently computes all possible multi-stage, multi-host attack paths and presents them in the form of an attack graph. Such attack graphs lend themselves to further advanced analysis which can answer questions such as what needs to be done to address the potential security risks while also minimizing the cost to the organization.
We present an approach based on SAT-solving that can turn such questions into a well-studied Boolean Satisfiability problem, and demonstrate the feasibility of such approaches in managing realistic enterprise networks.
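The two steps the abstract describes, deriving multi-host attack paths from Datalog tuples and then choosing the cheapest set of fixes that cuts all of them, in miniature. This is an added example written for this page, not code from the MulVAL project: the predicate names (attackerLocated, hacl, vulExists, networkServiceInfo, netAccess, execCode) follow MulVAL's conventions, but the three rules, the network facts, the vulnerability labels vulW/vulD/vulF and the patch costs are all constructed, and the exhaustive search over patch sets stands in for the SAT encoding the talk refers to.

```python
"""MulVAL-style attack-graph reasoning in miniature: an added example, not code
from the MulVAL distribution. Predicate names follow MulVAL's conventions, but
the rules, network facts, vulnerability labels and patch costs are constructed."""
from itertools import combinations

# Input Datalog tuples (constructed): an internet-facing web server that can in
# turn reach a database server and a file server.
FACTS = {
    ("attackerLocated", "internet"),
    ("hacl", "internet", "webServer", "tcp", 80),        # firewall allows this flow
    ("hacl", "webServer", "dbServer", "tcp", 3306),
    ("hacl", "webServer", "fileServer", "tcp", 445),
    ("networkServiceInfo", "webServer", "httpd", "tcp", 80, "apache"),
    ("networkServiceInfo", "dbServer", "mysqld", "tcp", 3306, "root"),
    ("networkServiceInfo", "fileServer", "smbd", "tcp", 445, "root"),
    ("vulExists", "webServer", "vulW", "httpd", "remoteExploit", "privEscalation"),
    ("vulExists", "dbServer", "vulD", "mysqld", "remoteExploit", "privEscalation"),
    ("vulExists", "fileServer", "vulF", "smbd", "remoteExploit", "privEscalation"),
}
# Rules as (head, body); capitalised symbols are variables, "_" matches anything.
RULES = [
    (("netAccess", "H", "Prot", "Port"),
     [("attackerLocated", "Zone"), ("hacl", "Zone", "H", "Prot", "Port")]),
    (("netAccess", "H2", "Prot", "Port"),
     [("execCode", "H1", "_"), ("hacl", "H1", "H2", "Prot", "Port")]),
    (("execCode", "H", "Perm"),
     [("vulExists", "H", "_", "Sw", "remoteExploit", "privEscalation"),
      ("networkServiceInfo", "H", "Sw", "Prot", "Port", "Perm"),
      ("netAccess", "H", "Prot", "Port")]),
]
GOALS = [("execCode", "dbServer", "root"), ("execCode", "fileServer", "root")]
COST = {"vulW": 7, "vulD": 3, "vulF": 3}   # constructed cost of patching each

def is_var(t):
    return isinstance(t, str) and t[:1].isupper()

def unify(pattern, fact, env):
    """Match one body atom against a ground fact; return the extended binding or None."""
    if len(pattern) != len(fact):
        return None
    env = dict(env)
    for p, f in zip(pattern, fact):
        if p == "_":
            continue
        if is_var(p):
            if env.get(p, f) != f:
                return None
            env[p] = f
        elif p != f:
            return None
    return env

def match_body(body, facts, env=None):
    """Yield (bindings, facts used) for every way the conjunction `body` holds."""
    env = env or {}
    if not body:
        yield env, []
        return
    for fact in facts:
        env2 = unify(body[0], fact, env)
        if env2 is not None:
            for env3, used in match_body(body[1:], facts, env2):
                yield env3, [fact] + used

def derive(facts, rules):
    """Forward-chain to a fixpoint. `proofs` maps each derived fact to its
    alternative premise lists: the AND/OR structure of the attack graph."""
    facts, proofs, changed = set(facts), {}, True
    while changed:
        changed = False
        for head, body in rules:
            for env, used in match_body(body, list(facts)):
                concl = tuple(env.get(t, t) for t in head)
                alts = proofs.setdefault(concl, [])
                if used not in alts:
                    alts.append(used)
                if concl not in facts:
                    facts.add(concl)
                    changed = True
    return facts, proofs

def exploited_sets(fact, proofs, seen=frozenset()):
    """Yield, for each distinct proof of `fact`, the set of vulnerabilities it exploits."""
    if fact not in proofs:                       # an input fact
        yield frozenset([fact[2]] if fact[0] == "vulExists" else [])
        return
    if fact in seen:                             # cycle in the graph; do not loop
        return
    for premises in proofs[fact]:
        combos = [frozenset()]
        for p in premises:
            options = list(exploited_sets(p, proofs, seen | {fact}))
            combos = [c | o for c in combos for o in options]
        yield from set(combos)

def cheapest_patch_set(attacks, cost):
    """Brute-force stand-in for the SAT formulation: each vulnerability is a Boolean
    'patch it'; each attack is a clause requiring at least one of its vulnerabilities
    to be patched; minimise total cost."""
    best = None
    for k in range(len(cost) + 1):
        for subset in map(set, combinations(sorted(cost), k)):
            if all(a & subset for a in attacks):
                c = sum(cost[v] for v in subset)
                if best is None or c < best[0]:
                    best = (c, subset)
    return best

def analyze(facts=FACTS, rules=RULES, goals=GOALS, cost=COST):
    derived, proofs = derive(facts, rules)
    attacks = {s for g in goals if g in derived for s in exploited_sets(g, proofs)}
    return derived, attacks, cheapest_patch_set(attacks, cost)

if __name__ == "__main__":
    _, attacks, best = analyze()
    print("attacks:", [sorted(a) for a in attacks], "cheapest patch set:", best)
```

With these facts both internal hosts fall only through the web server, so every attack uses vulW, yet the cheapest cut is to patch vulD and vulF (cost 6) rather than the expensive web-server fix (cost 7): the answer depends on the cost model as much as on the graph, which is what the optimisation step exists to capture.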
Panel discussion
Participants: IT professionals, graduate students, media, other interested parties, and invited guests from the State Key Laboratory of Information Security, Renmin University of China, Beihang University and elsewhere.
Contact: Xu Guangquan, mobile: 13752318356
Registration: Email: losin@tju.edu.cn
To attend, please email losin@tju.edu.cn before 19 May so that arrangements can be made.
2. Agenda for 22 May
8:00 Registration
8:30 Lectures begin
Invited speaker: Dr. Xinming Ou, Associate Professor, Kansas State University, USA
Talk title: An Empirical Approach to Modeling Uncertainty in Intrusion Analysis
Abstract:
Uncertainty is an innate feature of intrusion analysis due to the limited views provided by system monitoring tools, intrusion detection systems (IDS), and various types of logs. Attackers are essentially invisible in cyber space, and monitoring tools can only observe the symptoms or effects of malicious activities. When mingled with similar effects from normal or non-malicious activities, they lead intrusion analysis to conclusions of varying confidence and high false positive/negative rates. In this talk, I will present an empirical approach to the problem of uncertainty where the inferred security implications of low-level observations are captured in a simple logical language augmented with certainty tags. We have designed an automated reasoning process that enables us to combine multiple sources of system monitoring data and extract highly confident attack traces from the numerous possible interpretations of low-level observations. We have developed our model empirically: the starting point was a true intrusion that happened on a campus network that we studied to capture the essence of the human reasoning process that led to conclusions about the attack.
We then used a Datalog-like language to encode the model and a Prolog system to carry out the reasoning process. Our model and reasoning system reached the same conclusions as the human administrator on the question of which machines were certainly compromised. We then automatically generated the reasoning model needed for handling Snort alerts from the natural-language descriptions in the Snort rule repository, and developed a Snort add-on to analyze Snort alerts. Keeping the reasoning model unchanged, we applied our reasoning system to two third-party data sets and one production network. Our results showed that the reasoning model is effective on these data sets as well. We believe such an empirical approach has the potential of codifying the seemingly ad-hoc human reasoning of uncertain events, and can yield useful tools for automated intrusion analysis.
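The mechanism the abstract describes, low-level observations mapped to an internal condition with a certainty tag and then strengthened when independent evidence agrees, applied to Snort alerts. This is an added example, not the speaker's reasoning model or data: the alert lines are constructed (sids in the local-rule range 1000001+), the keyword-to-condition table and the strengthening rule (two independent "likely" proofs make "certain"; otherwise the stronger tag wins) are this example's own simplifications, and distinct signature ids are treated as independent evidence.

```python
"""Certainty-tagged reasoning over Snort alerts: an added example in the spirit of
the approach in the abstract. Alert lines, the observation model and the
strengthening rule are constructed for illustration, not the speaker's rules."""
import re

# Constructed Snort "fast"-format alert lines (sids 1000001+ are local rules).
SAMPLE_ALERTS = """\
05/21-08:31:02.120000  [**] [1:1000001:1] WEB-ATTACKS /bin/sh command attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:45001 -> 192.168.1.10:80
05/21-08:31:05.400000  [**] [1:1000001:1] WEB-ATTACKS /bin/sh command attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:45002 -> 192.168.1.30:80
05/21-08:40:15.000000  [**] [1:1000002:1] CHAT IRC nick change [**] [Classification: Potential Corporate Privacy Violation] [Priority: 3] {TCP} 192.168.1.10:51234 -> 203.0.113.7:6667
05/21-08:55:40.000000  [**] [1:1000003:1] SQL injection attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.1.10:51300 -> 192.168.1.20:3306
""".splitlines()

ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):\d+$")

INTERNAL = "192.168."                 # assumed internal address range
ORDER = {"p": 0, "l": 1, "c": 2}      # possible < likely < certain

# Observation model (constructed): a keyword in the alert message, which endpoint
# the inferred condition compromised(host) is about, and the tag on its own.
OBS_MODEL = [
    ("command attempt", "dst", "p"),  # an inbound exploit attempt may well have failed
    ("SQL injection", "dst", "p"),
    ("IRC", "src", "l"),              # internal host opening a C&C-style channel
]

def parse_alert(line):
    m = ALERT_RE.match(line)
    if not m:
        raise ValueError("unrecognised alert line: " + line)
    return m.groupdict()

def observations(lines):
    """Map each alert to zero or more (host, tag, sid) evidence items for compromised(host)."""
    for line in lines:
        a = parse_alert(line)
        for keyword, endpoint, tag in OBS_MODEL:
            if keyword.lower() in a["msg"].lower():
                yield a[endpoint], tag, a["sid"]
                # an internal host that *sends* an exploit is itself likely compromised
                if endpoint == "dst" and a["src"].startswith(INTERNAL):
                    yield a["src"], "l", a["sid"]

def strengthen(a, b):
    """Combine two independent tags for the same condition: two 'likely' proofs
    strengthen to 'certain'; otherwise the stronger tag stands."""
    if a == b == "l":
        return "c"
    return a if ORDER[a] >= ORDER[b] else b

def analyze(lines):
    """Return {host: (tag, sorted sids)} for compromised(host). Distinct signatures
    count as independent evidence; a signature firing twice is one item."""
    evidence = {}
    for host, tag, sid in observations(lines):
        per_sid = evidence.setdefault(host, {})
        if sid not in per_sid or ORDER[tag] > ORDER[per_sid[sid]]:
            per_sid[sid] = tag
    result = {}
    for host, per_sid in evidence.items():
        tag = None
        for t in per_sid.values():
            tag = t if tag is None else strengthen(tag, t)
        result[host] = (tag, sorted(per_sid))
    return result

def attack_trace(lines, min_tag="c"):
    """The high-confidence trace: alerts touching hosts whose tag reaches min_tag."""
    hosts = {h for h, (tag, _) in analyze(lines).items() if ORDER[tag] >= ORDER[min_tag]}
    return [l for l in lines
            if parse_alert(l)["src"] in hosts or parse_alert(l)["dst"] in hosts]

if __name__ == "__main__":
    for host, (tag, sids) in sorted(analyze(SAMPLE_ALERTS).items()):
        print(host, tag, sids)
```

On the constructed data 192.168.1.10 is tagged "certain" (an exploit attempt against it, then an outbound IRC channel, then it sourcing an exploit at the database host), while 192.168.1.20 and 192.168.1.30 stay "possible" on a single exploit-attempt alert each; the trace for the certain host is the three alerts that involve it, and the fourth alert is left out as noise.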
Panel discussion
Participants: IT professionals, graduate students, media, other interested parties, and invited guests from the State Key Laboratory of Information Security, Renmin University of China, Beihang University and elsewhere.
Contact: Xu Guangquan, mobile: 13752318356
Registration: Email: losin@tju.edu.cn
To attend, please email losin@tju.edu.cn before 19 May so that arrangements can be made.
3. Invited speaker: Dr. Xinming Ou
Homepage: http://people.cis.ksu.edu/~xou/
Dr. Xinming (Simon) Ou is an associate professor at Kansas State University. He received his PhD from Princeton University in 2005. Before joining Kansas State University, he was a post-doctoral research associate at Purdue University's Center for Education and Research in Information Assurance and Security (CERIAS), and a research associate at Idaho National Laboratory (INL). Dr. Ou's research is primarily in enterprise network security defense, with a focus on attack graphs, security configuration management, intrusion analysis, and security metrics for enterprise networks. Dr. Ou directs research for the Argus group, the cybersecurity research group at Kansas State University. He leads the MulVAL attack graph project, which has been used by INL on critical infrastructure protection, by Defence Research and Development Canada -- Ottawa (DRDC-Ottawa) and NATO on a number of computer network defense projects, and by researchers from numerous academic institutions.
Dr. Ou's research has been funded by the U.S. National Science Foundation, the Department of Energy, the Department of Defense, HP Labs, and Rockwell Collins. He is a recipient of the 2010 NSF Faculty Early Career Development (CAREER) Award.